Thursday, January 26, 2017

Password Management

Recently, there was a piece on password managers on The Today Show on NBC. The tech guy was blazing through a number of apps for phones since he has such a short period of time to cover what is apparently a lot of ground. Normally, I would have ignored such a presentation. It is generally just so much fluff, after all, relegated to the third or even fourth half hour of a morning newstainment program. Anything even remotely non-fluffy happens in at least the first hour, and if it’s actually grounded in reality and based on actual, topical events, it’s in the first half hour. Here we have a short piece that’s essentially lifestyle in nature. No big deal, right? However, there was one big red flag for me: a claim that was simply inaccurate and needed to be addressed.

The presenter, who shall remain nameless so I don’t besmirch his knowledge or character here, told Matt Lauer that password managers are great so you have all of your passwords (because we all use a different password for every login and Web page we use, right?) in one place. This means you don’t forget them. All you need to do is be able to get into the password manager. Here’s the rub, though. Because you have very helpfully collected them all in one place, you have made it considerably easier for an attacker. All the attacker needs to do is get into your password manager.

Not so fast, you say, echoing the aforementioned presenter. You have been informed that the very strongest of encryption is in use within this password manager, making it impregnable. This is the common delusion and misunderstanding when it comes to encryption. Encryption is only helpful if someone comes across a file or a disk by itself that has been encrypted. If you run across a stray disk that has been encrypted using something like the Advanced Encryption Standard (AES) with a very large key, say 256 bits, you are going to have a very hard time getting into the drive, unless the key has been somehow attached to the drive. And this is where we have a problem with devices and files that have been encrypted.

In essence, the key is stored with the encrypted data. All someone needs to do is gain access to the password manager using your credentials and the data is unlocked, just as it would be for you, because the app has no idea it’s not you. Password managers that use a single password, regardless of how strong it is, are vulnerable to attack because all someone needs to do is get that one password and they have your entire cache of passwords. That’s it. It doesn’t matter whether the underlying file is encrypted, or even if each individual password is encrypted. The passwords will need to be presented to you in the clear if they are to be of any value, so if you can authenticate to the password manager, so can the attacker.

Aha, you say! You use your fingerprint. Biometrics to the rescue. The problem with that particular theory is that while your fingerprint may be yours and yours alone, your fingerprint can be acquired. And used against you. Fake fingerprints can be used to fool fingerprint scanners on mobile devices and frankly most any device looking for your fingerprint. You use your fingerprint to get into your password manager but you leave your fingerprints all over the place. It’s not that challenging to acquire your fingerprint and if an attacker can get your phone — either because you left it on your desk while you stepped out of your office for a moment or because they simply stole it from your pocket or purse — they can get access to your passwords from your password manager.

This is not to say that you shouldn’t use a password manager. A determined attacker is probably going to find a way to get your passwords. If they can’t get them from you, they will get them from someone else, perhaps by gaining access to a system by way of that someone else. However, if someone gains clear text access to your passwords, it won’t matter a bit how strong they are. You can use a 32-character passphrase with upper and lower case, numbers and symbols. If it’s stored in your password manager and an attacker gets access to your password manager, strength of password doesn’t matter.

If your password manager stores your passwords on an Internet-based storage medium (sometimes called “in the cloud,” though the term is misleading to say the least), there is now a second way an attacker can get access to your data. This is especially true if there is a Web portal for you to look at your passwords or pull them down to use in Web forms through your browser. Now your fingerprint is no longer in play. It’s just down to that username and password combination.

Ideally, sites you visit regularly that store data you actually care about (aside from the throwaway e-mail address you use to log into sites you don’t much care about, for instance) would support two-factor authentication. This means a username and password (something you know) as well as either a soft token (Google Authenticator, Facebook Code Generator) or a text message to your cell phone (something you have). These two factors together can help protect your login access by requiring the attacker to both know your password and either have your phone or be able to intercept data like a text message.

Being aware of the potential challenges of various applications can help you make informed decisions. If you don’t understand what you are signing up for, you are not engaged in informed consent and you certainly are not engaged in managing the risk.